
Overview

AWS credentials are required to authenticate your Workshop Cloud Chat application with Amazon Web Services. These credentials grant access to AWS Bedrock, S3, and Knowledge Base services.
Security Notice: Never commit your AWS credentials to version control. Store them securely and rotate them regularly.

Required Credentials

Workshop Cloud Chat requires the following AWS credentials:
accessKeyId (string, required)
Your AWS Access Key ID. This is a unique identifier associated with your AWS account. Example: AKIAIOSFODNN7EXAMPLE

secretAccessKey (string, required)
Your AWS Secret Access Key. This is the secret key paired with your Access Key ID. Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This field is masked as a password input in the configuration dialog.

sessionToken (string)
Optional AWS Session Token for temporary security credentials. Used when authenticating with temporary credentials from AWS STS (Security Token Service) or when assuming an IAM role.

Configuration Steps

1. Open Configuration Dialog

Click the gear icon (⚙) next to “Chat con Agente (Amazon Bedrock)” in the main interface to open the configuration dialog. The dialog title will be “Configuración de chat y credenciales”.

2. Enter AWS Credentials

In the “Credenciales AWS” section, enter your credentials:
  • AWS Access Key ID: Enter your access key ID (required)
  • AWS Secret Access Key: Enter your secret access key (required)
  • AWS Session Token: Enter session token if using temporary credentials (optional)
AWS Access Key ID (requerido): AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key (requerido): ••••••••••••••••••••••••••
AWS Session Token (opcional): [Leave blank unless using temporary credentials]

3. Save Configuration

Click the “Guardar” button to save your credentials. The credentials are stored in the browser’s localStorage under the key workshop-cloud-chat-config-v1.

4. Verify Configuration

Check the “Resumen de configuración” panel on the right side. You should see:
AWS: credenciales configuradas (AKIAIOSFODNN7EXAMPLE)

How Credentials Are Used

The AWS credentials authenticate API requests to:

Bedrock Agent Runtime

From src/pages/api/chat.ts:31-38:
const client = new BedrockAgentRuntimeClient({
  region: body.region,
  credentials: {
    accessKeyId: body.accessKeyId,
    secretAccessKey: body.secretAccessKey,
    sessionToken: body.sessionToken || undefined
  }
});

S3 Client

From src/pages/api/upload-pdf.ts:6-19:
const getS3Client = (
  region: string,
  accessKeyId: string,
  secretAccessKey: string,
  sessionToken?: string
): S3Client =>
  new S3Client({
    region,
    credentials: {
      accessKeyId,
      secretAccessKey,
      sessionToken: sessionToken || undefined
    }
  });

Bedrock Agent Client (Knowledge Base)

From src/pages/api/sync.ts:45-52:
const client = new BedrockAgentClient({
  region: payload.region,
  credentials: {
    accessKeyId: payload.accessKeyId,
    secretAccessKey: payload.secretAccessKey,
    sessionToken: payload.sessionToken || undefined
  }
});

Obtaining AWS Credentials

1. Sign in to AWS Console

Go to the AWS Management Console and sign in with your account.

2. Navigate to IAM

Search for and open the IAM (Identity and Access Management) service.

3. Create or Select User

  • Go to Users in the left sidebar
  • Either select an existing user or click Add users to create a new one
  • For a new user, select Access key - Programmatic access

4. Attach Required Policies

Ensure the user has permissions for:
  • AmazonBedrockFullAccess (for Bedrock agent interactions)
  • AmazonS3FullAccess (for PDF uploads and document management)
  • Or create a custom policy with specific permissions

5. Create Access Key

  • Go to the Security credentials tab
  • Click Create access key
  • Choose Application running outside AWS
  • Copy the Access Key ID and Secret Access Key
The secret access key is only shown once. Save it securely immediately.
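
For the custom-policy option in step 4, the following added example (not part of the project) is a small linter that flags wildcard grants like those in full-access managed policies, run against a scoped alternative. The scoped actions are assumed from the three clients shown on this page, and the ARNs are placeholders.

```typescript
// Added example, not project code. Flags IAM statements broader than needed.
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}
interface Policy { Version: string; Statement: Statement[]; }

const toList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

function lintPolicy(policy: Policy): string[] {
  const issues: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return; // only grants can over-permit
    for (const a of toList(s.Action)) {
      if (a === "*" || a.endsWith(":*")) issues.push(`Statement ${i}: wildcard action ${a}`);
    }
    for (const r of toList(s.Resource)) {
      if (r === "*") issues.push(`Statement ${i}: applies to every resource`);
    }
  });
  return issues;
}

// Constructed: simplified shape of what the two full-access policies grant.
const BROAD: Policy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["bedrock:*", "s3:*"], Resource: "*" },
] };

// Constructed scoped policy. Actions are an assumption about what the chat,
// upload and sync routes call; extend it if your deployment needs more.
const SCOPED: Policy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "bedrock:InvokeAgent",
    Resource: "arn:aws:bedrock:REGION:ACCOUNT_ID:agent-alias/AGENT_ID/ALIAS_ID" },
  { Effect: "Allow", Action: "s3:PutObject",
    Resource: "arn:aws:s3:::EXAMPLE-BUCKET/*" },
  { Effect: "Allow", Action: "bedrock:StartIngestionJob",
    Resource: "arn:aws:bedrock:REGION:ACCOUNT_ID:knowledge-base/KB_ID" },
] };

console.log(lintPolicy(BROAD), lintPolicy(SCOPED));
```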

Managing Credentials

Clear Configuration

To remove stored credentials:
  1. Open the configuration dialog
  2. Click the “Borrar configuraciones” button
  3. This clears all AWS credentials and Bedrock configuration from localStorage

Update Credentials

To update credentials:
  1. Open the configuration dialog
  2. Enter the new credentials
  3. Click “Guardar” to overwrite the existing configuration

Storage Details

Credentials are stored in the browser’s localStorage with the following structure.

From src/pages/index.astro:1144-1154:
const saveConfig = () => {
  const persisted = {
    aws: state.aws,
    bedrock: state.bedrock,
    s3: state.s3,
    sync: state.sync,
    ui: state.ui,
    executions: state.executions
  };
  localStorage.setItem(STORAGE_KEY, JSON.stringify(persisted));
};
The storage key used is: workshop-cloud-chat-config-v1
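
Because the persisted object includes the secret key, it helps to check what kind of credential is sitting in storage and to redact it before sharing a config dump. The following is an added example, not project code; it assumes the `aws` object holds the three fields documented above.

```typescript
// Added example, not project code. Field names inside `aws` are assumed to be
// the three credentials documented on this page.
const STORAGE_KEY = "workshop-cloud-chat-config-v1"; // key named on this page

interface Audit {
  keyType: "long-term" | "temporary" | "unknown";
  warnings: string[];
  redacted: Record<string, unknown>; // safe to paste into a bug report
}

// In the browser, call auditStoredConfig(localStorage.getItem(STORAGE_KEY)).
function auditStoredConfig(raw: string | null): Audit {
  if (raw === null) return { keyType: "unknown", warnings: [], redacted: {} };
  const config = JSON.parse(raw) as Record<string, unknown>;
  const aws = (config["aws"] ?? {}) as Record<string, unknown>;
  const rawId = aws["accessKeyId"];
  const id = typeof rawId === "string" ? rawId : "";
  const token = aws["sessionToken"];
  const hasToken = typeof token === "string" && token.length > 0;

  // AWS key ID prefixes: AKIA = long-term IAM user key, ASIA = temporary STS key.
  const keyType = id.startsWith("AKIA") ? "long-term"
    : id.startsWith("ASIA") ? "temporary" : "unknown";

  const warnings: string[] = [];
  if (keyType === "long-term") {
    warnings.push(`long-term key under ${STORAGE_KEY}; any script on this origin can read it`);
    if (hasToken) warnings.push("session token set but key is not a temporary (ASIA) key");
  }
  if (keyType === "temporary" && !hasToken) {
    warnings.push("temporary key stored without its session token; requests will fail");
  }
  if (keyType === "unknown" && id !== "") warnings.push("unrecognized access key prefix");

  const safeAws: Record<string, unknown> = { ...aws, secretAccessKey: "[redacted]" };
  if (hasToken) safeAws["sessionToken"] = "[redacted]";
  return { keyType, warnings, redacted: { ...config, aws: safeAws } };
}

// Constructed samples built from AWS documentation placeholder values.
const SAMPLE_LONG_TERM = JSON.stringify({
  aws: { accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" },
  bedrock: {}, s3: {}, sync: {}, ui: {}, executions: [],
});
const SAMPLE_TEMP_NO_TOKEN = JSON.stringify({
  aws: { accessKeyId: "ASIAIOSFODNN7EXAMPLE", secretAccessKey: "constructed-secret", sessionToken: "" },
});
console.log(auditStoredConfig(SAMPLE_LONG_TERM).warnings);
```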

Troubleshooting

Invalid Credentials Error

If you receive authentication errors:
  • Verify your Access Key ID and Secret Access Key are correct
  • Check that the IAM user has the required permissions
  • Ensure the credentials haven’t been rotated or disabled

Session Token Expired

If using temporary credentials:
  • Temporary credentials expire after a set duration (usually 1-12 hours)
  • Request new temporary credentials from AWS STS
  • Update the configuration with the new session token

Configuration Not Persisting

If credentials don’t persist across page reloads:
  • Check that browser localStorage is enabled
  • Verify you’re not in private/incognito mode (some browsers restrict localStorage)
  • Check browser console for any localStorage errors

Best Practices

Use IAM Roles

When possible, use IAM roles with temporary credentials instead of long-term access keys.

Principle of Least Privilege

Grant only the minimum permissions required for the application to function.

Rotate Regularly

Rotate access keys every 90 days or when a team member leaves.

Monitor Usage

Use AWS CloudTrail to monitor API calls made with your credentials.

Next Steps

After configuring AWS credentials, proceed to:
